SYSTEM SAFETY & SOFTWARE SAFETY EXPERTS

DEFENSE SYSTEM SAFETY

HCRQ advised on the software safety case for the Control and Instrumentation System of the Royal Navy's Nuclear Powered Astute Class Submarines.

The Astute Class will undertake a range of tasks including: support to Vanguard Class submarines, anti-submarine warfare, anti-surface ship warfare, surveillance and intelligence gathering, and land attack using Tomahawk Land Attack Missiles (TLAM).

Occasionally, one person has become the definitive source of information on system safety within an organization, but that person's approach has been flawed. Occasionally, clients neglect to specify the desired "tasks" within 882, leaving the door wide open. All of this has become evident to us during our consulting and training work.

Contact us if you would like to purchase MIL-STD-882 Data Item Descriptions (DIDs). You won't find DIDs of this caliber elsewhere.

EVOLUTION

MIL-STD-882 evolved as follows:

AF BSD Exhibit 62-41 {1962}

MIL-S-38130 {1963}

MIL-S-38130A {June 1966, March 1967}

MIL-STD-882 {July 1969}

MIL-STD-882A {June 1977}

MIL-STD-882B {March 1984}

MIL-STD-882B Notice 1 {July 1987} - HCRQ used this standard

MIL-STD-882C {January 1993} - HCRQ used this standard

MIL-STD-882C Notice 1 {January 1996} - HCRQ used this standard

MIL-STD-882D (Acquisition Reform) {February 2000}

MIL-STD-882D Change 1 {Draft 2010}

MIL-STD-882E {May 2012} - HCRQ uses this standard

MIL-STD-882C

OVERVIEW

"C" was a very "c"omplete system safety standard.

At the time, a particularly useful combination was MIL-STD-882C combined with the 300-series software tasks from MIL-STD-882B, with Common Cause Analysis (CCA) added from ED-135/SAE ARP4761.

SOFTWARE ASPECTS

MIL-STD-882C defined Software Control Categories as follows:

I - Software exercises autonomous control over potentially hazardous hardware systems, subsystems or components without the possibility of intervention to preclude the occurrence of the hazard. Failure of the software or a failure to prevent an event leads directly to a hazard's occurrence.

IIa - Software exercises control over potentially hazardous hardware systems, subsystems or components allowing time for intervention by independent safety systems to mitigate the hazard. However, these systems by themselves are not considered adequate.

IIIb - Software generates information of a safety-critical nature used to make safety-critical decisions. There are several, redundant, independent safety measures for each hazardous event.

IV - Software does not control safety-critical hardware systems, subsystems or components and does not provide safety-critical information.

These Software Control Categories were similar in concept to, but NOT equivalent to, the following:

Software Development Assurance Levels (defined in ED-79A/SAE ARP4754A and utilized by ED-12C/RTCA DO-178C),

Software Integrity Levels (defined in and utilized by IEC 15026), and

SoftWare Assurance Levels (defined in and utilized by ED-153).

MIL-STD-882D

OVERVIEW

What can one say? This was a big mistake. We went from 116 pages in "C" to 31 pages in "D".

MIL-STD-882E

OVERVIEW

MIL-STD-882E was released May 11, 2012. MIL-STD-882E introduced new terminology, new requirements pertaining to old tasks, and new tasks. New terminology? Try:

Safety-Significant

Event Risk

New requirements pertaining to old tasks? Try:

SSPP

Hazard Tracking System

New tasks? Try:

Hazard Management Plan (HMP)

Hazardous Materials Management Plan (HMMP)

System Requirements Hazard Analysis (SRHA)

Functional Hazard Analysis (FHA)

System-of-Systems (SoS) Hazard Analysis

Environmental Hazard Analysis (EHA)

There are dilemmas (e.g., some things that are flat-out wrong), surprises, and confusion waiting.

HCRQ offers both a course, MIL-STD-882E System Safety, and a webinar, MIL-STD-882E In-depth. The webinar alone is a very insightful presentation that has been attended by DOD and many defense contractors. As always, you can count on HCRQ to provide unique and practical insight.